b'TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION\n                            Office of Inspections and Evaluations\n\n\n\n\n                The Program to Protect Hardcopy Personally\n                Identifiable Information Is a Work-in-Progress\n\n\n\n                                      September 12, 2008\n\n                             Reference Number: 2008-IE-R002\n\n\n\n\n This report has cleared the Treasury Inspector General for Tax Administration disclosure review process\n  and information determined to be restricted from public release has been redacted from this document.\n\n\n Phone Number | 202-622-6500\n Email Address | inquiries@tigta.treas.gov\n Web Site      | http://www.tigta.gov\n\x0c                                                  DEPARTMENT OF THE TREASURY\n                                                         WASHINGTON, D.C. 20220\n\n\n\n\nTREASURY INSPECTOR GENERAL\n  FOR TAX ADMINISTRATION\n\n\n\n\n                                                September 12, 2008\n\n\n MEMORANDUM FOR DEPUTY COMMISSIONER, OPERATIONS SUPPORT\n\n\n FROM:                          Philip Shropshire\n                                Acting Deputy Inspector General for Inspections and Evaluations\n\n SUBJECT:                      Final Inspection Report \xe2\x80\x93 The Program to Protect Hardcopy Personally\n                               Identifiable Information Is a Work-in-Progress (Inspection\n                               #200810IE008)\n\n This report presents the results of our inspection to determine what actions the Internal Revenue\n Service (IRS) is taking to protect hardcopy personally identifiable information (PII)1 that is\n shipped from office to office and how the IRS responds when a disclosure of hardcopy PII\n potentially occurs.\n\n Impact on the Taxpayer\n Every year, the IRS mails hardcopy PII in millions of packages and letters by commercial\n carriers and the United States Postal Service. 
While the overwhelming majority of commercially\n shipped packages reach their destinations without incident, the few packages that are\n compromised present opportunities for identity theft. Taxpayer confidence that information sent\n to the IRS is properly protected from identity theft is critical to the voluntary compliance system.\n\n\n\n\n 1\n   Personally identifiable information (PII) refers to information that can be used to distinguish or trace an\n individual\xe2\x80\x99s identity, such as their name, Social Security Number, biometric records, etc., alone or when combined\n with other personal or identifying information which is linked or linkable to a specific individual, such as date and\n place of birth, mother\xe2\x80\x99s maiden name, etc. Hardcopy PII is in paper or other physical form rather than in electronic\n format, such as on a laptop.\n\x0c                The Program to Protect Personally Identifiable Information Is a\n                                     Work-in-Progress\n\n\n\n\nSynopsis\nIn recent years the public has become increasingly aware that their PII can be compromised\nwhile in the possession of a third party. Identity theft victims have shared their stories of how\ntheir lives have been turned into chaos. Several highly publicized data breaches, generally\ninvolving electronic data files, have taken place in both the private and public sectors. The IRS\nis responsible for protecting electronic PII for its employees and millions of taxpayers.\nAdditionally, the IRS still has millions of paper records with PII that must be shipped from one\nlocation to another.\nThe IRS ships packages primarily via the United States Postal Service and the United Parcel\nService (UPS). In Fiscal Year 2007, the IRS sent over 150 million pieces of mail to taxpayers\nthrough the United States Postal Service and more than 3 million packages were shipped via\nUPS. 
While some UPS packages are damaged, misdirected or lost, disclosures from these types\nof incidents are minimal. However, to the taxpayers whose PII is compromised, the potential for\nidentity theft is a valid concern.\nThe IRS established the Privacy, Information Protection and Data Security Office ([PIPDS]\nhereafter referred to as the Office) to protect sensitive data by reducing the risk of inadvertent\ndisclosures. Since its establishment in July 2007, the Office has investigated over 300 potential\ndata breaches to determine whether taxpayer notification is appropriate. They have also hired a\nconsulting firm to review procedures associated with shipping documents between IRS offices.\nThe Office also has studied and developed recommendations to reduce the use of Social Security\nNumbers (SSN) when appropriate. Finally, the Office is spearheading the Operation R.E.D.\n(Review, Encrypt, Decide) initiative, designed to remind IRS employees how to protect PII.\nWe recognize that many problems with hardcopy PII protection have been long-term problems\nand will not be easily solved. The Office has identified these problems and either has plans or\nhas already initiated actions to address them. Our inspection identified some areas where\nadditional actions could improve operations.\nFirst, we found that hardcopy PII cases could not be readily distinguished from electronic PII or\nmixed media incidents in the incident reporting database. Second, not all packages contain a list\nof items shipped, and package originators do not always monitor package delivery and initiate\nappropriate actions if packages are lost. Third, formal procedures to improve how packages are\nassembled and shipped have not been issued. 
Fourth, the study on shipping hardcopy PII being\nconducted by a consulting firm did not include shipments to Federal Records Centers.\n\nRecommendations\nWe recommend that the Director of PIPDS collaborate with the Director, Computer Security\nIncident Response Center (CSRC), to develop a new incident code that clearly separates\n\n                                                                                                    2\n\x0c                The Program to Protect Personally Identifiable Information Is a\n                                     Work-in-Progress\n\n\n\nhardcopy PII loss from other types of losses; require originators to maintain a list of the package\ncontents to enable the IRS to identify lost items and whom to notify; reinforce the need for\nmandatory monitoring of all packages by the originator to ensure receipt; and initiate follow-up\nactions as appropriate. Also, the PIPDS Director should monitor actions to ensure that planned\nenhancements to shipping procedures are made formal and perform a risk assessment on the\nshipment of documents to Federal Records Centers.\n\nResponse\nIRS management generally agreed with our recommendations. The CSIRC database has the\nnecessary capability for data loss reporting and tracking processes. PIPDS will continue to\nupdate reporting and tracking processes to support identifying trends and develop mitigation\nstrategies. Also, a review of the Document Transmittal, Form 3210, will be included in the\ncurrent SSN Elimination and Reduction initiative, and the effectiveness of the document\ntransmittal process will be evaluated during a shipping process risk assessment. The assessment\nis being conducted to provide further insight and validation for the enhancements identified to\nstrengthen shipping procedures and other improvement opportunities. The Director, PIPDS will\ncontinue to work with key stakeholders to implement the procedural improvements to strengthen\nIRS shipping procedures. 
Management also agreed to expand the scope of the shipping process\nrisk assessment to include shipping tax returns and other taxpayer and employee hard copy data\nfrom IRS facilities to the Federal Record Centers. Management\xe2\x80\x99s complete response to the draft\nreport is included as Appendix IV.\nPlease contact me at (202) 927-7048 if you have questions or Kevin Riley, Acting Director,\nInspections and Evaluations, at (972) 249-8355.\n\n\n\n\n                                                                                                  3\n\x0c                      The Program to Protect Personally Identifiable Information Is a\n                                           Work-in-Progress\n\n\n\n\n                                             Table of Contents\n\nBackground ..........................................................................................................Page 1\n\nResults of Review ...............................................................................................Page 3\n          The Office of Privacy, Information Protection and Data Security Has\n          Significant Accomplishments in Less Than a Year of Operation.................Page 3\n                    Recommendation 1:..........................................................Page 6\n\n                    Recommendations 2 and 3: ................................................Page 8\n\n                    Recommendation 4:..........................................................Page 9\n\n          Summary .......................................................................................................Page 11\n\nAppendices\n          Appendix I \xe2\x80\x93 Detailed Objective, Scope, and Methodology ........................Page 12\n          Appendix II \xe2\x80\x93 Major Contributors to This Report ........................................Page 14\n          Appendix III \xe2\x80\x93 Report Distribution List 
.......................................................Page 15\n          Appendix IV \xe2\x80\x93 Management\xe2\x80\x99s Response to the Draft Report ......................Page 16\n\x0c         The Program to Protect Hardcopy Personally Identifiable\n                   Information Is a Work-in-Progress\n\n\n\n\n                     Abbreviations\n\nCSIRC          Computer Security Incident Response Center\nFISMA          Federal Information Security Management Act of 2002\nIRS            Internal Revenue Service\nOMB            Office of Management and Budget\nOPIP           Office of Privacy and Information Protection\nPII            Personally Identifiable Information\nPIPDS          Privacy, Information Protection, and Data Security\nR.E.D.         Review, Encrypt (and/or safeguard), Decide\nSSN            Social Security Number\nUPS            United Parcel Service\n\x0c                        The Program to Protect Hardcopy Personally Identifiable\n                                  Information Is a Work-in-Progress\n\n\n\n\n                                             Background\n\nMany Americans each year suffer the financial and\nemotional trauma caused by identity theft. While the                     \xe2\x80\x9c... the problem of identity theft has\n                                                                              become more complex and\nrisk has greatly increased because of electronic record-                  challenging for the general public,\nkeeping, the concern about protecting hardcopy                             the government, and the private\npersonally identifiable information (PII)1 is not new. 
As                               sector.\xe2\x80\x9d\nearly as 1977, the Government Accountability Office2\n                                                                          The President\xe2\x80\x99s Identity Theft Task Force\nreported that the IRS tax return mailing procedures and                  \xe2\x80\x9cCombating Identity Theft: A Strategic Plan\xe2\x80\x9d\npractices needed more stringent controls. Some of those                                  April 2007\nsame issues are relevant today.\nTo address the concern about the Federal Government\xe2\x80\x99s protection of personal information, the\nPresident\xe2\x80\x99s Task Force on Identity Theft was established by Executive Order 13,4023 on\nMay 10, 2006. It was charged with developing a strategic plan for the Federal Government to\ncombat identity theft and recommending actions for the public and private sectors should take.\nConsumers wrote to the Task Force, urging the public and private sectors to do a better job of\nprotecting their Social Security Numbers (SSNs), and many discussed the challenges raised by\nthe overuse of SSNs as identifiers.\nAccording to the Task Force\xe2\x80\x99s strategic plan, identity theft depends on access to consumer data.\nData compromises can expose consumers to the threat of identity theft or related fraud, damage\nthe victim\xe2\x80\x99s reputation, and carry financial costs for everyone involved. Although the strategic\nplan was not released until April 2007, an interim recommendation suggested that the Office of\nManagement and Budget (OMB) issue data breach guidance to all agencies. In September 2006,\nthe OMB issued guidance to Federal agencies for responding to data breaches. 
On\nMay 22, 2007, the OMB issued a memorandum requiring agencies to develop and implement a\nbreach notification policy within 120 days.\nHardcopy PII maintained by the Internal Revenue Service (IRS) is subject to the Privacy Act of\n1974 and the Federal Information Security Management Act of 2002 (FISMA). The Privacy Act\n\n1\n  Personally identifiable information (PII) refers to information that can be used to distinguish or trace an\nindividual\xe2\x80\x99s identity, such as their name, Social Security Number, biometric records, etc., alone or when combined\nwith other personal or identifying information which is linked or linkable to a specific individual, such as date and\nplace of birth, mother\xe2\x80\x99s maiden name, etc. Hardcopy PII is in paper or other physical form rather than electronic\nformat, such as on a laptop.\n2\n  IRS\xe2\x80\x99 Security Program Requires Improvements to Protect Confidentiality of Income Tax Information GGD-77-44\nJuly 11, 1977.\n3\n  Executive Order No. 13,402, 3 C.F.R. 225-228 (2007), amended by Executive Order No. 13,414, C.F.R. 250\n(2007).\n                                                                                                                  Page 1\n\x0c                       The Program to Protect Hardcopy Personally Identifiable\n                                 Information Is a Work-in-Progress\n\n\n\nprohibits disclosure of records without consent of the individual to whom the record pertains.\nThe FISMA requires each agency to follow National Institute of Standards and Technology4\nguidance and standards by implementing procedures for detecting, reporting, and responding to\nsecurity incidents. The FISMA also requires agencies to notify and consult with the Federal\nInformation Security Incident Center, law enforcement agencies, and the agency Inspector\nGeneral on any reported incidents.\nBecause of the nature of IRS work processes, a tremendous volume of taxpayer and employee\nPII is at risk. 
The IRS ships packages from office to office primarily via the United States Postal\nService and the United Parcel Service (UPS). In Fiscal Year 2007 more than 3 million packages\nwere shipped via UPS and an additional 10,000 by Federal Express. While some UPS packages\nare damaged, misdirected or lost, disclosures from these types of incidents are minimal.\nThis inspection was performed at the IRS National Headquarters in Washington, D.C., and in the\nOffice of Privacy, Information Protection, and Data Security ([PIPDS] hereafter referred to as\nthe Office) during the period April through May 2008. This review was performed in\naccordance with the President\xe2\x80\x99s Council on Integrity and Efficiency Quality Standards for\nInspections. Detailed information on our inspection objective, scope, and methodology is\npresented in Appendix I. Major contributors to the report are listed in Appendix II.\n\n\n\n\n4\n  The National Institute of Standards and Technology (NIST) is a part of the U.S. Department of Commerce and is\nresponsible for developing standards that other Federal agencies are required to follow.\n                                                                                                         Page 2\n\x0c                    The Program to Protect Hardcopy Personally Identifiable\n                              Information Is a Work-in-Progress\n\n\n\n\n                                 Results of Review\n\nThe Social Security Administration reports that identity theft is one of the fastest growing crimes\nin the United States. Several widely publicized incidents have amplified the need to prevent\ninadvertent information disclosures and to respond quickly when disclosures occur. The OMB\nprovided the Executive Branch with guidance on protecting PII.\nIn response to this quickly evolving environment, the IRS established an office to oversee the\nprotection of private information and data. 
As part of its current initiatives, the Office is\nstudying all reported incidents of potential disclosure and how hardcopy data is shipped to\nvarious destinations. It has assessed how PII is used, how it might be inadvertently disclosed,\nhow to limit such disclosures, and how it can better respond when disclosures occur.\nAdditionally, the Office is studying ways to eliminate the use of SSNs when feasible. Finally, it\nis spearheading an agency-wide review called Operation R.E.D. (Review, Encrypt, and Decide)\nto remind employees of their role in properly safeguarding information.\nLess than a year after its creation, the Office has had significant accomplishments. It has\ninvestigated over 300 potential data breaches to determine whether taxpayer notification is\nappropriate. It also has studied and developed recommendations to reduce the use of SSNs when\nappropriate. We recognize that many problems with hardcopy PII protection have been long-\nterm problems, and these will not be solved easily. The Office has identified these problems and\nhas plans, or has already initiated actions, to address them.\nOur inspection identified some areas where additional actions could improve operations. First,\nwe found that hardcopy PII cases could not be readily distinguished from electronic PII or mixed\nmedia incidents in the incident reporting database. Second, not all packages contain a list of\nitems shipped, and package originators do not always monitor package delivery and initiate\nappropriate actions if packages are lost. Third, formal procedures to improve how packages are\nassembled and shipped have not been issued. Fourth, the study on shipping hardcopy PII being\nconducted by a consulting firm did not include shipments to Federal Records Centers.\n\nThe Office of Privacy, Information Protection and Data Security Has\nSignificant Accomplishments in Less Than a Year of Operation\nThe IRS established the Office in July 2007. 
It reports directly to the Deputy Commissioner,\nOperations Support, and functions at the same organizational level as the Chief Information\nOfficer, the Chief Financial Officer, the Human Capital Officer, and the Chief, Agency-Wide\nShared Services. As of April 2008, the Office had a staff of about 40 employees.\n\n\n                                                                                            Page 3\n\x0c                         The Program to Protect Hardcopy Personally Identifiable\n                                   Information Is a Work-in-Progress\n\n\n\nThe organizational mission of this Office is: \xe2\x80\x9cTo preserve and enhance public confidence by\nadvocating for the protection and proper use of identity information.\xe2\x80\x9d\nThe Office has two components: Privacy and Information Protection (OPIP); and Online Fraud\nDetection and Prevention (OFDP). Our inspection was limited to the OPIP, which performs its\nmission through two staffs designed to focus on specific technical areas in privacy and identity\nprotection.\nRecent major accomplishments of OPIP include developing assessment and notification\nprocedures to evaluate the significance of reported disclosures, studying the causes of disclosures\nduring shipping, and studying methods to reduce or eliminate the use of SSNs when feasible.\nBelow is a description of these areas.\n\nBreach Notification Policy\nThe OPIP developed its breach notification process based on OMB guidance. It created a\nprocess to assess reported potential disclosures, determine the likelihood that a disclosure did\noccur, and make recommendations on whether individual taxpayers must be notified. An OPIP\nteam receives incident reports from the Computer Security Incident Response Center (CSIRC) of\npotential information breaches. 
The team performs a risk assessment on each incident,\nsummarizes the facts developed, and recommends whether individual taxpayers should be\nnotified that their PII might have been disclosed. In cases where notification is recommended,\nthose cases are forwarded for review and, if the Identity Theft and Incident Management\nExecutive Advisory Committee5 concurs with the decision, taxpayers are notified. The level of\nrisk associated with a potential disclosure incident is summarized in Figure 1.\n                                           Figure 1: Risk Levels\n      RISK ASSESSMENT                 RISK\n                                                                    DESCRIPTION\n             LEVEL                    CODE\n      Level One                       Green        Risk of identity theft or other harm is unlikely.\n      Level Two                       Yellow       Risk of identity theft or other harm is possible.\n      Level Three                      Red         Risk of identity theft or other harm is likely.\n                                                   The information could compromise National\n      Level Four                        Blue       Security, Grand Jury, or Criminal Investigation.\n     Source: Derived by IRS Privacy, Information Protection and Data Security from OMB guidance.\n\n\n\n\n5\n    See Appendix IV for a list of the Committee members.\n                                                                                                   Page 4\n\x0c                           The Program to Protect Hardcopy Personally Identifiable\n                                     Information Is a Work-in-Progress\n\n\n\nNotification groups have been established to issue letters specifically designed for this program.\nThe letters offer individuals credit monitoring provided through Equifax6 for 1 year. 
This offer\ndoes not extend to businesses, but other avenues are being explored that would not preclude\nnotification to businesses if financial data was breached. In addition, a dedicated toll-free\nnumber has been established to handle taxpayers\xe2\x80\x99 inquiries related to personal information\ndisclosure cases. All other IRS Customer Service Representatives have been instructed about\nwhere to route personal information disclosure calls.\nAdditionally, in January 2008, the IRS created an indicator code for application to the accounts\nof taxpayers who have been determined to be the victims of identity theft, regardless of how it\noccurred. The IRS expects that by January 2009 this code will allow legitimate returns to be\nproperly processed and will prevent questionable returns from being associated with the\ntaxpayers\xe2\x80\x99 accounts. In the fall of 2008, the IRS will also implement new indicator codes to\nplace on the accounts of three additional taxpayer groups: 1) self-identified victims of identity\ntheft who have not yet experienced a problem with their tax accounts;\n2) IRS-identified victims of identity theft; and 3) individuals who have received breach\nnotification letters from the IRS.\nWe reviewed the 63 potential disclosure incidents reported during the period January 2008\nthrough March 2008 and found that 21of the cases involved hardcopy PII being shipped by the\nIRS via UPS. Fourteen of the 21 cases were categorized as Code Red incidents (risk of identity\ntheft or other harm is likely), and the decision was made to notify the 90 affected individuals and\noffer them credit monitoring services.\nThe largest number of individuals affected by a hardcopy incident, however, is likely to be those\ninitiated by an IRS computer application. For example, on December 11, 2007, an incident was\nreported in which 9,951 letters were mailed to taxpayers containing account information for a\ntaxpayer other than themselves. 
These taxpayers were notified of the disclosure and were\noffered credit monitoring services.\nWhen performing our review, we found that for CSIRC the \xe2\x80\x9chardcopy only\xe2\x80\x9d PII cases could not\nbe readily distinguished from the electronic PII cases or mixed media incidents. For information\npurposes and trend analyses, the capability to separate the two types of cases could be beneficial\nand would eliminate a manual process. The OPIP maintains a separate database intended to\nfacilitate this type of analysis while programming changes are being pursued for the CSIRC\nreports. A revision to the report intake form is also underway.\n\n\n\n\n6\n    Equifax is a consumer credit reporting agency. It is not a government entity.\n                                                                                            Page 5\n\x0c                    The Program to Protect Hardcopy Personally Identifiable\n                              Information Is a Work-in-Progress\n\n\n\nRecommendation\nRecommendation 1: We recommend that the Director, Privacy, Information Protection and\nData Security collaborate with the Director, Computer Security Incident Response Center to\ndevelop a specific category code to segregate the hardcopy PII losses from other data losses.\n       Management\xe2\x80\x99s Response: IRS management will continue to update reporting and\n       tracking processes to support identifying trends and develop mitigation strategies.\n       Management found that the CSIRC database has the capability to segregate hardcopy PII\n       losses from other data losses.\n\nShipping Hardcopy PII\nThe inadvertent disclosure of PII during shipping has been identified as a priority. The OPIP has\ncontracted with a consulting firm to complete an Enterprise-wide Risk and Compliance\nAssessment on shipping by August 2008. 
The IRS shipped more than 3 million packages with\nUPS and millions more pieces domestically through the United States Postal Service during\nFiscal Year 2007. This mail included over 150 million letters and notices mailed to taxpayers in\naddition to tax returns and files shipped between IRS offices, many containing hardcopy PII.\nAccording to IRS officials, in FY 2007, 183 packages sent via UPS were reported lost or\ndamaged in shipment. However, two were determined to contain office supplies and did not\npose any disclosure risk. Of the 181 packages for which disclosure might have been an issue, 21\nwere identified by IRS employees and of these, 18 were recovered and 3 remain unaccounted\nfor. UPS notified the IRS of 160 lost or damaged packages that it identified. The status of the\n160 packages is shown in Figure 2 on the next page.\n\n\n\n\n                                                                                          Page 6\n\x0c                      The Program to Protect Hardcopy Personally Identifiable\n                                Information Is a Work-in-Progress\n\n\n\n\n                               Figure 2: Status of UPS Packages\n   NUMBER\n     OF                                    RESULTS OF INVESTIGATION\n  PACKAGES\n                    The packages were sent to the UPS mail facility and were jointly reviewed\n       77           by the UPS and the IRS\xe2\x80\x99s Postal and Transport Policy staff.\n                    The packages were empty upon discovery and the shipping label or UPS\n                    billing invoice did not include a named individual shipper or receiver;\n                    however, there was enough information to determine that they were being\n                    shipped to and from large IRS offices. 
Neither the IRS nor UPS know the\n       28           extent of potential disclosure from these packages.\n       26           The packages were damaged and the contents returned to the IRS.\n                    Packages were sent to the UPS mail facility but were identified by the IRS\n       17           and forwarded to the correct destinations.\n                    Shippers or receivers were identified and notified of the loss and the\n       12           documents were recovered.\nSource: IRS Postal and Transport Policy Staff.\n\nA couple of observations can be made from the loss of these packages. First, the evidence\nsuggests that originators do not always complete the Document Transmittal, Form 3210. This\nform identifies the specific documents that are being shipped. IRS procedures require that\noriginators follow up if a receipt copy of the Form 3210 is not received. Second, originators did\nnot always use the tracking features provided by UPS to ensure that the package reached its\ndestination.\nAccording to the IRS staff responsible for postal and transport policy within the IRS, UPS\npackages are delayed or fail to reach their intended destination largely because:\n   \xe2\x80\xa2   The package is improperly packed. This allows the contents to shift during shipment and\n       can cause the packages to fall. If the box breaks, some or all of the contents can be\n       visible to vendor employees.\n   \xe2\x80\xa2   The outer label is the only source that identifies the shipping and receiving locations. 
In\n       some cases the labels are torn off or are rendered unreadable.\n   \xe2\x80\xa2   The package is improperly sealed, and this can lead to documents being separated from\n       the package.\n\n\n\n\n                                                                                             Page 7\n\x0c                         The Program to Protect Hardcopy Personally Identifiable\n                                   Information Is a Work-in-Progress\n\n\n\nGuidelines and shipping instructions for packages containing sensitive PII documents are\navailable on the IRS web site and the IRS has published Package Preparation Guidelines.7 In\naddition, the OPIP is working with over 50 contracted mailrooms to accept recommendations\nresulting from the shipping risk assessment.\nDuring this inspection, we noted that shipments of tax returns and other documents to Federal\nRecords Centers were not included in the shipping risk assessment. These shipments often\ninclude tax returns and usually contain PII. Due to unique requirements,8 the OPIP is\nconsidering conducting a separate Federal Records Center shipment risk assessment. In 2004\nand 2007, the Treasury Inspector General for Tax Administration and the Government\nAccountability Office9 both reported that the IRS needed a better system to track case files\nbecause many could not be located.\n\n\nRecommendations\nWe recommend that the Director, Privacy, Information Protection and Data Security:\nRecommendation 2: Require originators to list identifying taxpayer data (excluding the SSN)\non the Form 3210 (Document Transmittal) or other document that lists all items being sent to\nensure that specific documents can be identified for notification when a loss occurs.\n         Management\xe2\x80\x99s Response: IRS management agrees that the IRS should continue to\n         educate employees on existing shipping policies and procedures, including the use of the\n         Form 3210. 
The effectiveness of the document transmittal process will also be evaluated\n         during a shipping process risk assessment.\nRecommendation 3: Implement requirements for: 1) mandatory monitoring of all shipments\nby the originator to ensure receipt or initiate follow-up actions as appropriate; 2) following the\nsuggestions of the Postal and Transportation Policy unit to improve packing to prevent\nmovement within the shipping box; 3) using duplicate UPS shipping labels, preferably with the\ntracking number securely attached to the inner package contents, which should be wrapped or\ndouble-boxed, and; 4) using shipping tape, in addition to the peel and stick adhesive strip\nsupplied on the box, for those packages exceeding five pounds.\n         Management\xe2\x80\x99s Response: IRS management agrees that the IRS should continue to\n         update policies and procedures to strengthen shipping controls. Because of the\n\n7\n  IRS Document 12506 [9-2007].\n8\n  Examples of some of the unique requirements are: special regulation boxes with specific labels, Standard Form\n135, for determination of future disposition; and in the case of grand jury records, special red printed tape for grand\njury records.\n9\n  Better Procedures Are Needed to Locate, Retrieve, and Control Tax Records (Reference Number 2004-10-186,\ndated September 2004) and Tax Administration: The Internal Revenue Service Can Improve Management of Paper\nCase Files (Reference Number GAO-07-1160, dated September 2007).\n                                                                                                                Page 8\n\x0c                    The Program to Protect Hardcopy Personally Identifiable\n                              Information Is a Work-in-Progress\n\n\n\n       importance of this topic, the IRS is conducting a shipping process risk to further provide\n       insight and validation for these and other improvement opportunities. 
         The Director, PIPDS, will continue to work with key stakeholders in various offices across the enterprise to implement procedural improvements to strengthen IRS shipping procedures.

Recommendation 4: Perform a risk assessment of the shipments of documents to the Federal Record Centers.

         Management’s Response: IRS management agreed with this recommendation. The scope of the shipping risk assessment will include the shipping of tax returns and other taxpayer and employee data from IRS facilities to the Federal Record Centers.

Implementation of the Social Security Number Reduction and Elimination Plan

The Office of Personnel Management is creating a Unique Identification Number to replace SSNs on official employment records. Implementation of the nine-digit number is expected by November 2008. The OPIP submitted a plan for SSN Elimination and Reduction to the Department of the Treasury in August 2007, issued the Internal Revenue Service Social Security Number Elimination and Reduction Implementation Plan on November 29, 2007, and expects to complete all the actions in the plan by March 2009.

The IRS is cataloguing and assessing the collection, usage, and display of the SSNs in five core areas:
   •   Taxpayer notices.
   •   Human Resources systems.
   •   Internal management systems.
   •   Operational systems.
   •   Paper Loss/Hard Copy Documents, in addition to the FISMA inventory. The focus on Paper Loss/Hard copy will address the protection of documents during shipping and storage, and system errors, such as double stuffing (notices for more than one taxpayer are inserted into one envelope).

The project team will develop policies and procedures detailing the requirements for using SSNs, when necessary, and eliminating or reducing their use when not necessary.
This would include using only the last four digits of the SSN, a unique identifier, or just a person’s name in correspondence. The plan also proposes other alternatives to the SSN, such as barcodes and Personal Identification Numbers. The team also met with the Social Security Administration staff to better understand how to reduce the use of SSNs as personal identifiers. These efforts have resulted in a number of successes, including the partial masking of SSNs on 18 Automated Collection System10 notices beginning in 2009. Two other SSN usage reductions occurred this year. The SSNs on Federal tax lien documents filed in public records were partially redacted, and they were also redacted on the economic stimulus payment notices sent to taxpayers.

Operation R.E.D. (Review, Encrypt and/or Safeguard and Decide) Is in Progress

On April 16, 2008, Commissioner Shulman introduced the Operation R.E.D. initiative. This is an agency-wide effort to remind IRS employees of existing policies and procedures about safeguarding and protecting sensitive information.
By June 30, 2008, employees were required to have completed the following process:
     •   Reviewed their electronic files and paper holdings for sensitive information that is required to be secured.
     •   Encrypted (electronic) and safeguarded (paper) all sensitive information covered by a “need to know” (a continued business need to keep in their possession).
     •   Decided whether information they no longer need to know should be archived or destroyed.

Guidance for both managers and employees, including encryption and safeguarding instructions, has been published on the IRS intranet. The guidance includes reiterating IRS’s Clean Desk policy, and requires that protected data must be stored in a locked container when non-IRS personnel have area access during non-duty hours. Furthermore, when PII is in an unsecured area, including in an employee’s home, it must be stored in a locked container during non-duty hours. Finally, documents stored offsite, such as at the taxpayer’s office, must be in containers with bars and locks.

The guidance also suggests good document shipping practices. It states that when employees ship documents to another IRS facility, they should: 1) use UPS; 2) double wrap or double box the contents; 3) place shipping labels both inside the envelope or box and on the outside; and 4) monitor the tracking number to confirm receipt. Shipments of tax returns and information will be documented on Form 3210 and monitored to ensure that the shipment is received and acknowledged in a proper and timely manner. Every IRS office that ships tax returns and return information shall designate specific individuals to be responsible for monitoring the shipments. In addition, employees are required to follow the recordkeeping requirements of the Internal Revenue Manual for Recordkeeping and Disclosures.
The guidance also provides PII loss procedures and instructs employees to notify their manager, CSIRC, TIGTA, and the police, if applicable. Managers are required to certify that Operation R.E.D. was discussed with employees and that the employees were given time to complete Operation R.E.D. activities.

10 A telephone contact system through which telephone assistors collect unpaid taxes and secure tax returns from delinquent taxpayers who have not complied with previous notices.

                                          SUMMARY

The Office of Privacy, Information Protection and Data Security has made significant achievements in a relatively short time period. The overwhelming majority of hardcopy PII that is shipped arrives without incident. However, for the packages that are compromised, the potential for identity theft is often high.
The continued efforts to remind employees to safeguard hardcopy PII should help mitigate the risks of shipping documents between offices.

                                                                                                     Appendix I

          Detailed Objective, Scope, and Methodology

The overall objective of this review was to determine what actions the Internal Revenue Service (IRS) is taking to protect hardcopy personally identifiable information (PII)1 that is shipped from office to office and how the IRS responds when a potential disclosure of hardcopy PII occurs. This review was conducted because the Inspector General has expressed concerns about the number of hardcopy PII loss incidents that have come to his attention over the past several months. While most attention to PII is rightfully on PII in electronic format, the IRS still transports large volumes of hardcopy PII outside of the agency’s physical perimeter via commercial vendors (primarily via UPS) and the U.S. Postal Service.

We reviewed all 63 incidents reported to the Incident Management Team in the period January 1, 2008 through March 31, 2008. We found that 21 of the 63 (33 percent) involved hardcopy PII that was shipped via UPS. To accomplish our objective, we:

I.       Determined what hardcopy PII includes and what is at risk.
         A. Determined what hardcopy PII is mailed between IRS offices.
         B. Determined what hardcopy PII is sent to taxpayers and/or their representatives.
II.      Determined what legislative, regulatory, and administrative requirements exist that address hardcopy PII.
         A. Determined what general laws pertain to hardcopy PII.
         B. Determined what IRS-specific laws pertain to hardcopy PII.
         C. Determined what OMB requirements pertain to hardcopy PII.
III.     Determined the organizational context of hardcopy PII.
         A. Determined the volume of annual mailings of notices and letters.
         B. Determined the volume of annual shipment of small packages.
         C. Determined the volume of annual hardcopy PII losses.
IV.      Determined IRS efforts to address hardcopy PII.
         A. Determined the Office established to address protection of hardcopy PII.
         B. Determined IRS policies and procedures regarding hardcopy PII.
         C. Determined what current actions have been taken to address hardcopy PII.
V.       Determined the IRS Breach Notification Policy.
         A. Determined the IRS policies and procedures regarding reporting breaches.
         B. Determined how reported breaches are addressed.
         C. Determined the breach notification process in place.

1 Personally identifiable information (PII) refers to information that can be used to distinguish or trace an individual’s identity, such as their name, Social Security Number, biometric records, etc., alone or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc. Hardcopy PII is in paper or other physical form rather than electronic format, such as on a laptop.

                                                                         Appendix II

                 Major Contributors to This Report

Kevin P. Riley, Acting Director, Office of Inspections and Evaluations
Dolores Castoro, Lead Auditor
Linda P. Lee, Program Analyst

                                                                   Appendix III

                         Report Distribution List

Commissioner C
Office of the Commissioner – Attn: Chief of Staff C
Chief, Privacy, Information Protection, and Data Security OS:P
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Assessment RAS:O
Office of Internal Control OS:CFO:CPIC:IC
Audit Liaison: Operations Support

                                                    Appendix IV

Management’s Response to the Draft Report